[kwlug-disc] Systemd resolv issue ...

Chris Irwin chris at chrisirwin.ca
Wed Feb 11 18:00:45 EST 2026 

On Wed, Feb 11, 2026 at 04:40:56PM -0500, Khalid Baheyeldin wrote:
>
>Is the ~. a wildcard?
>If it is, does that mean "everything"?i.e. that all DNS queries will go
>through the VPN?
>Why did Wireguard force resolveconf to use the -x flag?

According to `man resolvectl`, ~. indicates this will be preferred over 
any other DNS server (except for specific domains -- lan, in your case)

>I don't want the VPN to be the default DNS.
>I want all DNS queries to go through enps30, and only domains ending with
>.priv to go through wg0

Brief re-read of your wireguard config and the `man wg-quick`:

     DNS  —  a  comma-separated  list  of  IP (v4 or v6) addresses to be 
     set as the interface's DNS servers, or non-IP hostnames to be set as 
     the interface's DNS search domains. May be specified multiple times. 
     Upon bringing the interface up, this runs `resolvconf -a 
     tun.INTERFACE -m 0 -x` and upon bringing it down, this runs 
     `resolvconf -d tun.INTERFACE`. If these particular invocations of  
     resolvconf(8) are undesirable, the PostUp and PostDown keys below 
     may be used instead.

It looks like there's two issues:

1. You didn't define a search domain of .priv in your config. You can do 
that on the DNS line along with your other server. For example:

     DNS = 10.10.0.1, priv

However, this is beside the point due to #2..

2. wg-quick is hard-coded for that -x, exclusive mode. That will force 
the ~. entry you saw before, indicating that this DNS server is 
preferred above all others (in addition to the +DefaultRoute, which 
would probably *still* prefer this DNS server).

Looks like the only way around that is to not define DNS at all, and 
instead use PostUp commands. That is mentioned in the manpage. 
Presumably something like this:

     PostUp = resolvectl dns %i 10.10.0.1; resolvectl domain %i priv

You probably need a PostDown as well to clean up. Maybe you want to use 
`resolveconf` instead, using the commands from the manpage quoted above? 
I dunno, I don't have a lot of experience using wireguard. This seems to 
be a bit of a limitation of wg-quick specifically.

I tried using wireguard from my laptop to my router. Having the 
wireguard config loaded through GNOME network settings did not do the ~. 
search domain thing, but it did still set +DefaultRoute, even though it 
wasn't supposed to be my default route. It also set an actual default 
route (`ip route`), although I don't think it should have done that, 
either.
     
I'd have spent more time troubleshooting that, but the WG link was 
non-functional, probably because I'm at home, inside the router I'm 
trying to VPN to...


-- 
Chris Irwin

email:   chris at chrisirwin.ca
   web: https://chrisirwin.ca

More information about the kwlug-disc mailing list